POINT DECOMPOSITION PROBLEM IN BINARY ELLIPTIC CURVES


KORAY KARABINA 


Abstract. We analyze the point decomposition problem (PDP) in binary elliptic curves. It is known that PDP in an elliptic curve group can be reduced to solving a particular system of multivariate non-linear equations derived from the so-called Semaev summation polynomials. We modify the underlying system of equations by introducing some auxiliary variables. We argue that the trade-off between lowering the degree of Semaev polynomials and increasing the number of variables is worthwhile.


1. Introduction 

Point decomposition problem (PDP) in an additive abelian group $G$ with respect to a factor base $B \subset G$ is the following: Given a point$^1$ $R \in G$, find $P_i \in B$ such that

$$R = \sum_{i=1}^{m} P_i$$

for some positive integer $m$; or conclude that $R$ cannot be decomposed as a sum of points in $B$. Discrete logarithm problem (DLP) in $G$ with respect to a base $P \in G$ is the following: Given $P$ and $Q = aP \in G$ for some secret integer $a$, compute $a$. DLP can be solved using the index calculus algorithm in two main steps. In the relation collection step, fix a factor base $B$, and find a set of points $R_i = a_i P + b_i Q$ for some randomly chosen integers $a_i, b_i$, such that $R_i$ can be decomposed with respect to $B$, i.e.,

$$R_i = \sum_{j} P_{ij}, \qquad P_{ij} \in B.$$

Here, we may assume for convenience that the $P_{ij}$ are not necessarily distinct, and only finitely many of them are non-identity. Note that each decomposition induces a modular linear dependence on the discrete logarithms of $Q \in G$ and $P_{ij} \in B$ with respect to the base $P$. After collecting sufficiently many relations$^2$, the linear algebra step solves for the discrete logarithm of $Q \in G$, as well as the discrete logarithms of the factor base elements. Clearly, the success probability and the running time of the index calculus algorithm heavily depend on the decomposition probability of a random element in $G$, the cost of the decomposition step, and the size of the factor base. In particular, the overall cost of the relation collection and the linear algebra steps must be optimized with a non-trivial success probability.

In 2004, Semaev [11] showed that solving PDP in an elliptic curve group is equivalent to solving a particular system of multivariate non-linear equations derived from the so-called Semaev summation polynomials. Semaev's work triggered the possibility of the existence of an index calculus type algorithm which is more efficient than Pollard's rho algorithm to solve the discrete logarithm problem in elliptic curves defined over $\mathbb{F}_{q^n}$, which we denote ECDLP($q, n$). Note that Pollard's rho algorithm is a general purpose algorithm that solves DLP in a group $G$, and runs in time $O(\sqrt{|G|})$. Gaudry [7] showed that Semaev summation polynomials can be effectively used to solve ECDLP($q, n$) in heuristic time $O(q^{2 - 2/n})$, where the constant in $O(\cdot)$ is exponential in $n$. For example, Gaudry's algorithm and Pollard's rho algorithm solve ECDLP($q, 3$) in time $O(q^{1.33})$ and $O(q^{1.5})$, respectively. Due to the exponential-in-$n$ constant in the running time of Gaudry's algorithm, his attack is expected to be more effective than Pollard's rho algorithm if $n \ge 3$ is relatively small and $q$ is large. Diem [2] rigorously showed that ECDLP($q, n$) can be solved in expected subexponential time when $a(\log q)^{\alpha} \le n \le b(\log q)^{\beta}$ for some $a, b, \alpha, \beta > 0$. On the other hand, Diem's method has expected exponential running time $O(e^{n(\log n)^{1/2}})$ for solving ECDLP($2, n$). As a result, the index calculus type algorithms presented in [2, 7] do not yield ECDLP solvers which are more effective than Pollard's rho method when $q = 2$ and $n$ is prime. The ideas for choosing an appropriate factor base in [2] have been adapted in [5, 10], and the complexity of the relation collection step has been analyzed. In both papers [5] and [10], a positive integer $m$, which we call the decomposition constant, is fixed to represent the number of points in the decomposition of a random point in the relation collection step. The factor base consists of elliptic curve points whose $x$-coordinates belong to an $n'$-dimensional subspace $V \subset \mathbb{F}_{2^n}$ over $\mathbb{F}_2$, where $n'$ is chosen such that $mn' \approx n$. We refer to PDP in this setting by PDP($n, m, n'$) throughout the rest of this paper.

$^1$ We prefer to use point rather than element because elliptic curve group elements are commonly called points.

$^2$ This is roughly when the number of relations exceeds $|B|$.

Faugère et al. [5] showed, under a certain assumption, that ECDLP($2, n$) can be solved in time $O(2^{wn/2})$, where $2.376 \le w \le 3$ is the linear algebra constant. The running time analysis in [5] considers the linearization technique to solve the multivariate nonlinear system of equations derived from the $(m+1)$'st Semaev polynomial $S_{m+1}$ during the relation collection step to solve PDP($n, m, n'$). Faugère et al. further argue that Groebner basis techniques may improve the running time by a factor $m$ in the exponent, where $m$ is the decomposition constant. This last claim has been confirmed in the experiments in [5] for elliptic curves defined over $\mathbb{F}_{2^n}$ with $n \in \{41, 67, 97, 131\}$ and $m = 2$. Petit and Quisquater's heuristic analysis in [10] claims that ECDLP($2, n$) can asymptotically be solved in time $O(2^{c\, n^{2/3} \log n})$ for some constant $0 < c < 2$. The subexponential running time in [10] is based on a rather strong assumption on the behavior of the systems of equations that arise from Semaev polynomials. In particular, it is assumed in [10] that the degree of regularity $D_{reg}$ and the first fall degree $D_{FirstFall}$ of the underlying polynomial systems to solve PDP($n, m, n'$) are approximately equal. The analysis in [10] also assumes that $n' = n^{\alpha}$ and $m = n^{1-\alpha}$ for some positive constant $\alpha$. Experiments with a very limited set of parameters $(n, m, n')$, $n \in \{11, 17\}$, $m \in \{2, 3\}$, $n' = \lfloor n/m \rfloor$ were conducted in [10] in favor of their assumption.

A recent paper by Shantz and Teske [13] presented some extended experimental results on solving PDP($n, m, n'$) for the same setting as in Petit and Quisquater's paper [10]. In particular, [13] validates the degree of regularity assumption in [10] for the set of parameters $(n, m, n')$ such that $n \in \{11, 13, 15, 17, 19, 23, 29\}$, $m = 2$, $n' = \lfloor n/m \rfloor$; and for $(n, m, n')$ such that $n \in \{11, 13, 15, 17, 19, 21\}$, $m = 3$, $n' = \lfloor n/m \rfloor$. Shantz and Teske [13] were able to extend their experimental data for the parameters $(n, m, n', \Delta)$, $n \le 48$, $m = 2$, where $\Delta = n - mn'$ is chosen appropriately to possibly improve the running time of ECDLP($2, n$). In another recent paper [8], Yun-Ju et al. exploit the symmetry in Semaev polynomials, and improve on the running time and memory requirements of the PDP($n, m, n'$) solver in [5]. The efficiency of the method in [8] is tested for parameters $(n, m, n')$ such that $n \le 53$, $m = 3$, $n' = 3, 4, 5, 6$.

Petit and Quisquater's heuristic analysis [10] claims that index calculus methods for solving ECDLP($2, n$) are more effective than Pollard's rho method for $n > 2000$, $m \ge 4$ and $mn' \approx n$. However, all the experiments reported so far on solving PDP($n, m, n'$) for the set of parameters $(n, m, n', \Delta)$ with $\Delta = n - mn' \le 1$ and $m = 3$ are limited to $n \le 19$; see [13, 8]. Similarly, all the experiments for the set of parameters $(n, m, n', \Delta)$ with $m = 3$ are limited to $n' \le 6$, which forces $\Delta \ge 2$ for $n \ge 20$. In general, it is desired to have $n'$ increasing as a function of $n$, rather than having some upper bound on $n'$, so that $n \approx mn'$ as assumed in the running time analysis of ECDLP($2, n$) solvers in [5, 10]. Therefore, it remains a challenge to run experiments on an extensive set of parameters $(n, m, n')$ with larger prime $n$ values, $m \ge 4$, and $mn' \approx n$. For example, it is stated in [8, Section 4.1] that

"On the other hand, the method appears unpractical for m = 4 even for very small values of n because of the exponential increase with m of the degrees in Semaev's polynomials."

In a more recent paper [6], Galbraith and Gebregiyorgis introduce a new choice of variables and a new choice of factor base, and they are able to solve PDP with various $n \ge 17$, $m = 4$, $n' = 3, 4$ using Groebner basis algorithms; and also with various $n \ge 17$, $m = 4$, $n' \le 7$ using SAT solvers.

In this paper, we modify the system of equations derived from Semaev polynomials by introducing some auxiliary variables. We show that PDP($n, m, n'$) can be solved by finding a solution to a system of equations derived from several third Semaev polynomials $S_3$, each of which has at most three variables. For comparison, PDP($n, m, n'$) in $E(\mathbb{F}_{2^n})$ with decomposition constant $m = 5$ would traditionally be attacked by considering the Semaev polynomial $S_6$ with 5 variables, which is likely to have a root in $V^5$, where $V \subset \mathbb{F}_{2^n}$ is a subspace of dimension $n' = \lfloor n/5 \rfloor$. On the other hand, when $m = 5$, our polynomial system consists of third Semaev polynomials $S_{3,i}$ ($i = 1, 2, 3, 4$) and a total of 8 variables, and is likely to have a root in $V^5 \times \mathbb{F}_{2^n}^3$, where $V \subset \mathbb{F}_{2^n}$ is a subspace of dimension $\lfloor n/5 \rfloor$. As a result, our technique overcomes the difficulty of dealing with the $(m+1)$'st Semaev polynomial $S_{m+1}$ when solving PDP($n, m, n'$) with $m \ge 4$. We should emphasize that choosing $m \ge 4$ is desirable for an index calculus based ECDLP($2, n$) solver to be more effective than a generic DLP solver such as Pollard's rho algorithm. Our method introduces the overhead of some auxiliary variables. However, we argue that the trade-off between lowering the degree of Semaev polynomials and increasing the number of variables is worthwhile. In particular, we present some experimental results on solving PDP($n, m, n'$) for the following parameters:

- $n \le 19$, $m = 4, 5$, and $n' = \lfloor n/m \rfloor$. We are not aware of any previous experimental data for $n > 15$ and $m = 5$.

- $n \le 26$, $m = 3$, $n' = \lfloor n/m \rfloor$. We are not aware of any previous experimental data for $n > 21$, $m = 3$, and $\Delta = n - mn' \le 2$.

We observe in our experiments that the regularity degrees of the underlying systems are relatively low. We also observe that the running time and memory requirements of the algorithms can be improved significantly if the Groebner basis computations are first performed on a subset of the polynomials and if the ReductionHeuristic parameter in Magma is set to a small number; see Section 5. We are able to solve PDP(15, 5, 3) instances in about 7 seconds (with 256 MB memory). Note that PDP(15, 5, 3) is solved in about 175 seconds (with 2635 MB memory) in [12]. Our experimental findings with $m = 3, 4, 5$ extend and improve on recently reported results in [8, 12, 13].

The rest of this paper is organized as follows. In Section 2, we recall Semaev polynomials and their application to ECDLP($2, n$). In Section 3, we describe and analyze a new method to solve PDP($n, m, n'$) in $E(\mathbb{F}_{2^n})$. In Section 4, we present our experimental results. In Section 5, we extend our results from Section 3.

Acknowledgment. The author of this paper would like to acknowledge two recent papers. Semaev [12] claims a new complexity bound $2^{c\sqrt{n \ln n}}$ for solving ECDLP($2, n$) under the assumption that the degree of regularity in Groebner computations of particular polynomial systems is $D_{reg} \le 4$. Semaev also shows that ECDLP($2, n$) can be solved in time $2^{O(\sqrt{n \ln n})}$ under the weaker assumption that $D_{reg} = o(\sqrt{n / \ln n})$. The techniques used in [12] and in this paper are similar. In [9], Kosters and Yeo provide experimental evidence that the degree of regularity of the underlying polynomial systems is likely to increase as a function of $n$, whence the conjecture $D_{reg} \approx D_{FirstFall}$ may be false.


2. Semaev Polynomials and ECDLP 


Let $\mathbb{F}_{2^n} = \mathbb{F}_2[\sigma]/(f(\sigma))$ be a finite field with $2^n$ elements, where $f(\sigma)$ is a monic irreducible polynomial of degree $n$ over the field $\mathbb{F}_2 = \{0, 1\}$. Let $E$ be a non-singular elliptic curve defined by the short Weierstrass equation

$$E/\mathbb{F}_{2^n} : \ y^2 + xy = x^3 + ax^2 + b, \qquad a, b \in \mathbb{F}_{2^n}.$$

We denote the identity element of $E$ by $\infty$. The $i$'th Semaev polynomial associated with $E$ is defined as follows:

$$(2.1)\qquad S_i(x_1, x_2, \ldots, x_i) = \begin{cases} (x_1x_2 + x_1x_3 + x_2x_3)^2 + x_1x_2x_3 + b & \text{if } i = 3, \\ \mathrm{Res}_X\big(S_{i-j}(x_1, \ldots, x_{i-j-1}, X),\ S_{j+2}(x_{i-j}, \ldots, x_i, X)\big) & \text{if } i \ge 4, \end{cases}$$

where $1 \le j \le i - 3$.

Let

$$V = \{a_0 + a_1\sigma + \cdots + a_{n'-1}\sigma^{n'-1} : a_i \in \mathbb{F}_2,\ n' \le n\} \subset \mathbb{F}_{2^n}$$

and define the factor base

$$B = \{P = (x, y) \in E : x \in V\}.$$

Recall that in PDP($n, m, n'$), we are looking for $P_i = (x_i, y_i) \in B$ such that

$$(2.2)\qquad P_1 + \cdots + P_m = R,$$

for some given point $R = (x_R, y_R) \in E$. We refer to (2.2) as an $m$-decomposition of $R$ in $B$. We expect that, on average, a random point $R \in E$ has an $m$-decomposition in $B$ with probability $2^{mn'}/(2^n\, m!)$, simply because $|B| \approx 2^{n'}$ and permuting the $P_i$ does not change the sum $\sum P_i$ (see [7]). As described in Section 1, DLP in $E$ can be solved via an index-calculus based approach by computing about $|B|$ explicit $m$-decompositions and solving a sparse linear system of about $|B|$ equations. Therefore, the cost of solving ECDLP($2, n$) may be estimated as

$$(2.3)\qquad 2^{n'} \cdot \frac{2^n\, m!}{2^{mn'}} \cdot C_{n,m,n'} + 2^{w' n'},$$

where $C_{n,m,n'}$ is the cost of solving PDP($n, m, n'$), and $w' = 2$ is the sparse linear algebra constant. Semaev [11] showed that a decomposition of the form (2.2) exists if and only if the $x$-coordinates of the $P_i$ and $R$ are zeros of the $(m+1)$'st Semaev polynomial, that is, $S_{m+1}(x_1, \ldots, x_m, x_R) = 0$. In the rest of this paper, we focus on solving PDP($n, m, n'$) (and estimating $C_{n,m,n'}$) via modifying the equation derived from $S_{m+1}$.


3. A NEW APPROACH TO SOLVE POINT DECOMPOSITION PROBLEM

Let $E/\mathbb{F}_{2^n}$, $V$, and $B$ be as defined in Section 2. Recall that an $m$-decomposition of a point

$$R = P_1 + \cdots + P_m,$$

where $R = (x_R, y_R) \in E$, $P_i = (x_i, y_i) \in B$, can be computed (if it exists) by identifying a tuple $(x_1, \ldots, x_m) \in V^m$ that satisfies

$$(3.1)\qquad S_{m+1}(x_1, \ldots, x_m, x_R) = 0.$$

Note that the $x_i$ belong to an $n'$-dimensional subspace of $\mathbb{F}_{2^n}$. Therefore, (3.1) defines a system $\mathrm{Sys}_1$ of a single equation over $\mathbb{F}_{2^n}$ in $m$ variables. In [5, 10], the Weil descent technique is applied, and a second system $\mathrm{Sys}_2$ of $n$ equations over $\mathbb{F}_2$ in $mn'$ boolean variables is derived from $\mathrm{Sys}_1$. The cost $C_{n,m,n'}$ of solving PDP($n, m, n'$) in [5, 10] is estimated through the analysis of solving $\mathrm{Sys}_2$ using linearization and Groebner basis techniques. Next, we describe a new approach to derive another system $\mathrm{Sys}_3$ of boolean equations such that a solution of $\mathrm{Sys}_3$ yields an $m$-decomposition of a point $R$.

Notation. Throughout the rest of this paper, we distinguish between two classes of Semaev polynomials. The first class is denoted by $S_{m,1}(x_1, \ldots, x_m)$, which represents the $m$'th Semaev polynomial with $m$ variables. The second class is denoted by $S_{m,2}(x_1, \ldots, x_{m-1}, x_R)$, which represents the $m$'th Semaev polynomial with $m - 1$ variables (i.e., the last variable $x_m$ is evaluated at a number $x_R$).


3.1. The case $m = 3$. Let $R = (x_R, y_R) \in E$. Notice that there exist $P_i \in B$ such that

$$P_1 + P_2 + P_3 - R = \infty$$

if and only if there exist $P_i \in B$ and $P_{12} \in E$ such that

$$(3.2)\qquad \begin{cases} P_1 + P_2 - P_{12} = \infty \\ P_3 + P_{12} - R = \infty. \end{cases}$$

Therefore, a 3-decomposition of $R = P_1 + P_2 + P_3$ may be found as follows:

(1) Define the following system of equations derived from Semaev polynomials

$$(3.3)\qquad \begin{cases} S_{3,1}(x_1, x_2, x_{12}) = 0 \\ S_{3,2}(x_3, x_{12}, x_R) = 0. \end{cases}$$

Note that this system is defined over $\mathbb{F}_{2^n}$ and has 4 variables $x_1, x_2, x_3, x_{12}$.

(2) Introduce boolean variables $x_{i,j}$ such that

$$x_i = \sum_{j=0}^{n'-1} x_{i,j}\,\sigma^j,$$

for $i = 1, 2, 3$, and

$$x_{12} = \sum_{j=0}^{n-1} x_{12,j}\,\sigma^j.$$

Apply the Weil descent technique to (3.3) and define an equivalent system of $2n$ equations over $\mathbb{F}_2$ with $3n' + n$ boolean variables

$$\{x_{i,j} : i = 1, 2, 3,\ j = 0, \ldots, n' - 1\} \cup \{x_{12,j} : j = 0, \ldots, n - 1\}.$$

Solve this new system of boolean equations and recover $x_1, x_2, x_3 \in \mathbb{F}_{2^n}$ from the $x_{i,j} \in \mathbb{F}_2$.

Note that the proposed method solves a system of $2n$ equations over $\mathbb{F}_2$ with $3n' + n$ boolean variables rather than solving a system of $n$ equations over $\mathbb{F}_2$ with $3n'$ boolean variables.

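The two facts this construction rests on, Semaev's criterion for $S_3$ from Section 2 and the auxiliary-point split (3.2)/(3.3), can be checked numerically. The following is an added example, not code from the paper: it implements $\mathbb{F}_{2^{11}}$ with modulus $\sigma^{11} + \sigma^2 + 1$, a constructed curve with $a = 1$, $b = \sigma$, the factor base $B$ for $n' = 3$, and tests both facts on random triples of factor-base points; the field, curve and $n'$ are assumptions chosen for the example.

```python
import random

N = 11                          # field degree n: F_{2^11} = F_2[s]/(s^11 + s^2 + 1)
MOD = (1 << 11) | (1 << 2) | 1  # the modulus f(s), irreducible over F_2 (assumption of this example)
NPRIME = 3                      # n' = floor(n/3), the m = 3 setting of Section 3.1
A, B = 1, 0b10                  # constructed curve y^2 + xy = x^3 + A x^2 + B with B = s (B != 0)

def gf_mul(u, v):
    """Multiply in F_{2^N}; bit i of an int is the coefficient of s^i."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v, u = v >> 1, u << 1
        if u & (1 << N):
            u ^= MOD
    return r

def gf_inv(u):                  # u^(2^N - 2) = u^-1 for u != 0
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u, e = gf_mul(u, u), e >> 1
    return r

def gf_trace(u):
    t, p = 0, u
    for _ in range(N):
        t, p = t ^ p, gf_mul(p, p)
    return t

def gf_half_trace(u):           # for odd N and Tr(u) = 0 returns z with z^2 + z = u
    z, p = 0, u
    for _ in range((N + 1) // 2):
        z, p = z ^ p, gf_mul(gf_mul(p, p), gf_mul(p, p))
    return z

def on_curve(P):
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B

def ec_add(P, Q):
    """Group law on E (standard binary-curve formulas); None is the identity oo."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0:     # Q = -P, or doubling the 2-torsion point (0, sqrt(B))
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        y3 = gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        y3 = gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def semaev3(x1, x2, x3):
    """Third Semaev polynomial of (2.1): (x1x2 + x1x3 + x2x3)^2 + x1x2x3 + b."""
    t = gf_mul(x1, x2) ^ gf_mul(x1, x3) ^ gf_mul(x2, x3)
    return gf_mul(t, t) ^ gf_mul(gf_mul(x1, x2), x3) ^ B

def factor_base():
    """B = {(x, y) in E : x in V}, V = span(1, s, ..., s^(n'-1)); x = 0 is skipped."""
    base = []
    for x in range(1, 1 << NPRIME):
        c = x ^ A ^ gf_mul(B, gf_inv(gf_mul(x, x)))   # y = x z where z^2 + z = x + A + B/x^2
        if gf_trace(c) == 0:
            y = gf_mul(x, gf_half_trace(c))
            base += [(x, y), (x, x ^ y)]
    return base

def check_semaev(trials=300, seed=7):
    """Counts trials where (a) Semaev's criterion and (b) the split (3.3) hold."""
    rng, base = random.Random(seed), factor_base()
    ok_a = ok_b = checked_b = 0
    for _ in range(trials):
        P1, P2, P3 = (rng.choice(base) for _ in range(3))
        x1, x2, x3 = P1[0], P2[0], P3[0]
        # (a) S_3(x1, x2, x3) = 0 iff some +-P1 +-P2 +-P3 = oo, i.e. iff x3 = x(P1 + P2) or x(P1 - P2)
        P12, Pdiff = ec_add(P1, P2), ec_add(P1, (x2, x2 ^ P2[1]))   # -(x, y) = (x, x + y)
        xs = {Q[0] for Q in (P12, Pdiff) if Q is not None}
        ok_a += (semaev3(x1, x2, x3) == 0) == (x3 in xs)
        # (b) with R = P1 + P2 + P3 and x12 = x(P1 + P2), both equations of (3.3) vanish
        R = ec_add(P12, P3)
        if P12 is None or R is None:    # oo has no x-coordinate: nothing to check
            continue
        checked_b += 1
        ok_b += (on_curve(R) and semaev3(x1, x2, P12[0]) == 0
                 and semaev3(x3, P12[0], R[0]) == 0)
    return ok_a, ok_b, checked_b
```

`check_semaev()` returns (trials where (a) held, trials where (b) held, trials where (b) was checkable); on a correct implementation the first equals the number of trials and the last two are equal.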

3.2. The case $m = 4$. Let $R = (x_R, y_R) \in E$. Notice that there exist $P_i \in B$ such that

$$P_1 + P_2 + P_3 + P_4 - R = \infty$$

if and only if there exist $P_i \in B$ and $P_{12} \in E$ such that

$$(3.4)\qquad \begin{cases} P_1 + P_2 - P_{12} = \infty \\ P_3 + P_4 + P_{12} - R = \infty. \end{cases}$$

Therefore, a 4-decomposition of $R = P_1 + P_2 + P_3 + P_4$ may be found as follows:

(1) Define the following system of equations derived from Semaev polynomials

$$(3.5)\qquad \begin{cases} S_{3,1}(x_1, x_2, x_{12}) = 0 \\ S_{4,2}(x_3, x_4, x_{12}, x_R) = 0. \end{cases}$$

Note that this system is defined over $\mathbb{F}_{2^n}$ and has 5 variables $x_1, x_2, x_3, x_4, x_{12}$.

(2) Introduce boolean variables $x_{i,j}$ such that

$$x_i = \sum_{j=0}^{n'-1} x_{i,j}\,\sigma^j,$$

for $i = 1, 2, 3, 4$, and

$$x_{12} = \sum_{j=0}^{n-1} x_{12,j}\,\sigma^j.$$

Apply the Weil descent technique to (3.5) and define an equivalent system of $2n$ equations over $\mathbb{F}_2$ with $4n' + n$ boolean variables

$$\{x_{i,j} : i = 1, 2, 3, 4,\ j = 0, \ldots, n' - 1\} \cup \{x_{12,j} : j = 0, \ldots, n - 1\}.$$

Solve this new system of boolean equations and recover $x_1, x_2, x_3, x_4 \in \mathbb{F}_{2^n}$ from the $x_{i,j} \in \mathbb{F}_2$.

Note that the proposed method solves a system of $2n$ equations over $\mathbb{F}_2$ with $4n' + n$ boolean variables rather than solving a system of $n$ equations over $\mathbb{F}_2$ with $4n'$ boolean variables.


3.3. The case $m = 5$. Let $R = (x_R, y_R) \in E$. Notice that there exist $P_i \in B$ such that

$$P_1 + P_2 + P_3 + P_4 + P_5 - R = \infty$$

if and only if there exist $P_i \in B$ and $P_{123} \in E$ such that

$$(3.6)\qquad \begin{cases} P_1 + P_2 + P_3 - P_{123} = \infty \\ P_4 + P_5 + P_{123} - R = \infty. \end{cases}$$

Therefore, a 5-decomposition of $R = P_1 + P_2 + P_3 + P_4 + P_5$ may be found as follows:

(1) Define the following system of equations derived from Semaev polynomials

$$(3.7)\qquad \begin{cases} S_{4,1}(x_1, x_2, x_3, x_{123}) = 0 \\ S_{4,2}(x_4, x_5, x_{123}, x_R) = 0. \end{cases}$$

Note that this system is defined over $\mathbb{F}_{2^n}$ and has 6 variables $x_1, x_2, x_3, x_4, x_5, x_{123}$.

(2) Introduce boolean variables $x_{i,j}$ such that

$$x_i = \sum_{j=0}^{n'-1} x_{i,j}\,\sigma^j,$$

for $i = 1, 2, 3, 4, 5$, and

$$x_{123} = \sum_{j=0}^{n-1} x_{123,j}\,\sigma^j.$$

Apply the Weil descent technique to (3.7) and define an equivalent system of $2n$ equations over $\mathbb{F}_2$ with $5n' + n$ boolean variables

$$\{x_{i,j} : i = 1, 2, 3, 4, 5,\ j = 0, \ldots, n' - 1\} \cup \{x_{123,j} : j = 0, \ldots, n - 1\}.$$

Solve this new system of boolean equations and recover $x_1, x_2, x_3, x_4, x_5 \in \mathbb{F}_{2^n}$ from the $x_{i,j} \in \mathbb{F}_2$.

Note that the proposed method solves a system of $2n$ equations over $\mathbb{F}_2$ with $5n' + n$ boolean variables rather than solving a system of $n$ equations over $\mathbb{F}_2$ with $5n'$ boolean variables.
3.4. Analysis of new polynomial systems. One of the methods to solve a multivariate non-linear system of equations is to compute the Groebner basis of the underlying ideal. Groebner basis computations can be performed using Faugère's algorithms [3, 4], which reduce the problem to Gaussian elimination of Macaulay-type matrices $M_d$ of degree $d$. The Macaulay matrix $M_d$ encodes the polynomials of degree (at most) $d$ that are generated during the Groebner basis computation. Therefore, the cost of solving a system of equations is determined by the maximal degree $D$ (also known as the degree of regularity of the system) reached during the computation. If $N$ is the number of variables in the system, then the cost is typically estimated as $O\Big(\binom{N + D - 1}{D}^{w}\Big)$, where $\binom{N + D - 1}{D}$ is the maximum number of columns in $M_D$ and $w$ is the linear algebra constant. In general, it is hard to estimate $D$. In the recent paper [10], it is conjectured that the degree of regularity $D_{reg}$ of systems arising from PDP($n, m, n'$) satisfies $D_{reg} = D_{FirstFall} + o(1)$, where $D_{FirstFall}$ is the first fall degree of the system and is defined as follows.

Definition 3.1. [10] Let $R$ be a polynomial ring over a field $K$. Let $F := \{f_1, \ldots, f_k\} \subset R$ be a set of polynomials of degrees at most $D_{FirstFall}$. The first fall degree of $F$ is the smallest degree $D_{FirstFall}$ such that there exist polynomials $g_i \in R$ with $\max_i(\deg(f_i) + \deg(g_i)) = D_{FirstFall}$ satisfying $\deg\big(\sum_{i=1}^{k} g_i f_i\big) < D_{FirstFall}$ but $\sum_{i=1}^{k} g_i f_i \ne 0$.

Experimental studies in recent papers [10, 13] give supporting evidence that $D_{reg} \approx D_{FirstFall}$. However, the experimental data is yet very limited (see Section 1) to verify this conjecture. In this section, we compute the first fall degree of the systems proposed in Section 3.1, Section 3.2 and Section 3.3. Our experimental results in Section 4 indicate that $D_{reg} \approx D_{FirstFall}$.

$D_{FirstFall}$ of the system when $m = 3$. In this case, one needs to solve the system of $2n$ equations over $\mathbb{F}_2$ with $3n' + n$ boolean variables. The system of equations is derived by applying Weil descent to (3.3), which consists of the two Semaev polynomials $S_{3,1}$ and $S_{3,2}$. The monomial set of $S_{3,1}(x_1, x_2, x_{12})$ is

$$\{1,\ x_1^2x_2^2,\ x_1^2x_{12}^2,\ x_2^2x_{12}^2,\ x_1x_2x_{12}\}.$$

Therefore, the Weil descent of $S_{3,1}(x_1, x_2, x_{12})$ yields a $2n' + n$ variable polynomial set $\{f_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(f_i)) = 3$. On the other hand, the monomial set of $x_1 \cdot S_{3,1}(x_1, x_2, x_{12})$ is

$$\{x_1,\ x_1^3x_2^2,\ x_1^3x_{12}^2,\ x_1x_2^2x_{12}^2,\ x_1^2x_2x_{12}\}.$$

Therefore, the Weil descent of $x_1 \cdot S_{3,1}(x_1, x_2, x_{12})$ yields a polynomial set $\{F_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(F_i)) = 3$. It follows from the definition that $D_{FirstFall}(S_{3,1}) \le 4$ because the maximum degree of polynomials obtained from the Weil descent of $x_1$ is 1. Similarly, the monomial set of $S_{3,2}(x_3, x_{12}, x_R)$ is

$$\{1,\ x_3^2x_{12}^2,\ x_3^2,\ x_{12}^2,\ x_3x_{12}\}.$$

Therefore, the Weil descent of $S_{3,2}(x_3, x_{12}, x_R)$ yields an $n' + n$ variable polynomial set $\{f_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(f_i)) = 2$. On the other hand, the monomial set of $x_3 \cdot S_{3,2}(x_3, x_{12}, x_R)$ is

$$\{x_3,\ x_3^3x_{12}^2,\ x_3^3,\ x_3x_{12}^2,\ x_3^2x_{12}\}.$$

Therefore, the Weil descent of $x_3 \cdot S_{3,2}(x_3, x_{12}, x_R)$ yields a polynomial set $\{F_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(F_i)) = 3$. It follows from the definition that $D_{FirstFall}(S_{3,2}) \le 4$ because the maximum degree of polynomials obtained from the Weil descent of $x_3$ is 2. We conclude that $D_{FirstFall} \le 4$.

$D_{FirstFall}$ of the system when $m = 4$. In this case, one needs to solve the system of $2n$ equations over $\mathbb{F}_2$ with $4n' + n$ boolean variables. The system of equations is derived by applying Weil descent to (3.5), which consists of the two Semaev polynomials $S_{3,1}$ and $S_{4,2}$. From our above discussion, $D_{FirstFall}(S_{3,1}) \le 4$. Now, analyzing the monomial set of $S_{4,2}(x_3, x_4, x_{12}, x_R)$, we can see that the Weil descent of $S_{4,2}(x_3, x_4, x_{12}, x_R)$ yields a $2n' + n$ variable polynomial set $\{f_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(f_i)) = 6$ (this follows from the Weil descent of the monomial $(x_3x_4x_{12})^3$). On the other hand, analyzing the monomial set of $x_3 \cdot S_{4,2}(x_3, x_4, x_{12}, x_R)$, we see that the Weil descent of $x_3 \cdot S_{4,2}(x_3, x_4, x_{12}, x_R)$ yields a polynomial set $\{F_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(F_i)) = 6$. It follows from the definition that $D_{FirstFall}(S_{4,2}) \le 7$ because the maximum degree of polynomials obtained from the Weil descent of $x_3$ is 1. We conclude that $D_{FirstFall} \le 7$.

$D_{FirstFall}$ of the system when $m = 5$. In this case, one needs to solve the system of $2n$ equations over $\mathbb{F}_2$ with $5n' + n$ boolean variables. The system of equations is derived by applying Weil descent to (3.7), which consists of the two Semaev polynomials $S_{4,1}$ and $S_{4,2}$. From our above discussion, $D_{FirstFall}(S_{4,2}) \le 7$. Now, analyzing the monomial set of $S_{4,1}(x_1, x_2, x_3, x_{123})$, we can see that the Weil descent of $S_{4,1}(x_1, x_2, x_3, x_{123})$ yields a $3n' + n$ variable polynomial set $\{f_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(f_i)) = 8$ (this follows from the Weil descent of the monomial $(x_1x_2x_3x_{123})^3$). On the other hand, analyzing the monomial set of $x_3 \cdot S_{4,1}(x_1, x_2, x_3, x_{123})$, we see that the Weil descent of $x_3 \cdot S_{4,1}(x_1, x_2, x_3, x_{123})$ yields a polynomial set $\{F_i\}$ over $\mathbb{F}_2$ such that $\max_i(\deg(F_i)) = 8$. It follows from the definition that $D_{FirstFall}(S_{4,1}) \le 9$ because the maximum degree of polynomials obtained from the Weil descent of $x_3$ is 1. We conclude that $D_{FirstFall} \le 9$.


4. Experimental results 

We implemented the proposed methods of Section 3 on a desktop computer (Intel(R) Xeon(R) CPU E31240 3.30GHz) using the Groebner basis algorithms in Magma [1]. For each parameter set $(n, m, n')$, we solved 5 random instances of PDP over a randomly chosen elliptic curve $E/\mathbb{F}_{2^n}$. In Table 1, we report on our experimental results for solving PDP($n, m, n' = \lfloor n/m \rfloor$) with $m = 3, 4, 5$. In particular, for each of these 5 computations, we report on the maximum CPU time (seconds) and memory (MB) required for solving PDP. We also report on the maximum of the maximum step degrees $D$ in the Groebner basis computations. Recall that in Section 3 we estimated $D_{FirstFall} \le 4$ when $m = 3$; $D_{FirstFall} \le 7$ when $m = 4$; and $D_{FirstFall} \le 9$ when $m = 5$. In our experiments, we observe that $D_{reg} \approx D_{FirstFall}$.

Let $m = 5$ and $n' = \lfloor n/m \rfloor$. Based on our experimental data, it is tempting to assume that the underlying system of polynomial equations has $D_{reg} \approx 9$. Moreover, the system has $N = 5n' + n \approx 2n$ boolean variables. Therefore, when $m = 5$, we may estimate the cost of solving ECDLP($2, n$) (see (2.3)) as

$$2^{n'} \cdot \frac{2^n\, m!}{2^{mn'}} \binom{N + D_{reg} - 1}{D_{reg}}^{w} + 2^{w' n'} \ \approx\ 2^{n/5}\, m!\,(2n)^{9w} + 2^{w' n/5} \ \approx\ 2^{34}\, 2^{n/5}\, n^{27} + 2^{2n/5},$$

where we assume $w = 3$ and $w' = 2$. For example, when $n \approx 1200$, the cost of solving ECDLP($2, n$) is estimated to be $2^{550}$, which is significantly smaller than the cost $2^{600}$ of square-root time algorithms.



Table 1. Experimental results on solving PDP($n, m, n' = \lfloor n/m \rfloor$). Time in seconds; Memory in MB; $D$ is the maximum step degree. A dash marks a parameter set for which no experiment is reported.

| n  | m=3 Time | m=3 Memory | m=3 D | m=4 Time | m=4 Memory | m=4 D | m=5 Time | m=5 Memory | m=5 D |
|----|----------|------------|-------|----------|------------|-------|----------|------------|-------|
| 11 | -        | -          | -     | -        | -          | -     | 0.520    | 25.8       | 7     |
| 12 | -        | -          | -     | -        | -          | -     | 0.670    | 33.0       | 7     |
| 13 | -        | -          | -     | -        | -          | -     | 0.890    | 42.8       | 7     |
| 14 | -        | -          | -     | -        | -          | -     | 4.260    | 126.7      | 8     |
| 15 | -        | -          | -     | -        | -          | -     | 350.100  | 1839.5     | 8     |
| 16 | -        | -          | -     | 414.320  | 5100.7     | 7     | 408.270  | 2633.9     | 8     |
| 17 | 1.690    | 38.8       | 4     | 1395.170 | 5632.8     | 7     | 506.340  | 4050.3     | 8     |
| 18 | 26.680   | 264.5      | 4     | 497.770  | 5632.8     | 7     | 920.790  | 6186.9     | 8     |
| 19 | 15.270   | 321.8      | 4     | 509.330  | 5634.1     | 7     | 1265.090 | 8282.9     | 8     |
| 20 | 49.350   | 397.6      | 4     | -        | -          | -     | -        | -          | -     |
| 21 | 163.100  | 1228.3     | 4     | -        | -          | -     | -        | -          | -     |
| 22 | 126.290  | 1413.2     | 4     | -        | -          | -     | -        | -          | -     |
| 23 | 248.820  | 1668.7     | 4     | -        | -          | -     | -        | -          | -     |
| 24 | 1266.610 | 5142.2     | 4     | -        | -          | -     | -        | -          | -     |
| 25 | 1623.180 | 6363.8     | 4     | -        | -          | -     | -        | -          | -     |
| 26 | 1645.78  | 6596.9     | 4     | -        | -          | -     | -        | -          | -     |

5. Extensions and Optimization

In Section 3, we introduced a single auxiliary variable to lower the degree of Semaev polynomials. The degree of the polynomials can be lowered further by introducing more auxiliary variables. As an example, we consider the case $m = 5$. Let $R = (x_R, y_R) \in E$ as before. Notice that there exist $P_i \in B$ such that

$$P_1 + P_2 + P_3 + P_4 + P_5 - R = \infty$$

if and only if there exist $P_i \in B$ and $P_{12}, P_{34}, P_{50} \in E$ such that

$$(5.1)\qquad \begin{cases} P_1 + P_2 - P_{12} = \infty \\ P_3 + P_4 - P_{34} = \infty \\ P_5 - P_{50} - R = \infty \\ P_{12} + P_{34} + P_{50} = \infty. \end{cases}$$

Therefore, a 5-decomposition of $R = P_1 + P_2 + P_3 + P_4 + P_5$ may be found as follows:

(1) Define the following system of equations derived from Semaev polynomials

$$(5.2)\qquad \begin{cases} S_{3,1}(x_1, x_2, x_{12}) = 0 \\ S_{3,1}(x_3, x_4, x_{34}) = 0 \\ S_{3,2}(x_5, x_{50}, x_R) = 0 \\ S_{3,1}(x_{12}, x_{34}, x_{50}) = 0. \end{cases}$$

Note that this system is defined over $\mathbb{F}_{2^n}$ and has 8 variables $x_1, x_2, x_3, x_4, x_5, x_{12}, x_{34}, x_{50}$.

(2) Introduce boolean variables $x_{i,j}$ such that

$$x_i = \sum_{j=0}^{n'-1} x_{i,j}\,\sigma^j,$$

for $i = 1, 2, 3, 4, 5$, and

$$x_i = \sum_{k=0}^{n-1} x_{i,k}\,\sigma^k,$$

for $i = 12, 34, 50$. Apply the Weil descent technique to (5.2) and define an equivalent system of $4n$ equations over $\mathbb{F}_2$ with $5n' + 3n$ boolean variables

$$\{x_{i,j} : i = 1, 2, 3, 4, 5,\ j = 0, \ldots, n' - 1\} \cup \{x_{i,j} : i = 12, 34, 50,\ j = 0, \ldots, n - 1\}.$$

Solve this new system of boolean equations and recover $x_1, x_2, x_3, x_4, x_5 \in \mathbb{F}_{2^n}$ from the $x_{i,j} \in \mathbb{F}_2$.

Note that the proposed method solves a system of $4n$ equations over $\mathbb{F}_2$ with $5n' + 3n$ boolean variables rather than solving a system of $n$ equations over $\mathbb{F}_2$ with $5n'$ boolean variables. Similar to the analysis in Section 3, we can show that $D_{FirstFall} \le 4$.

Table 2. Experimental results on solving PDP($n, m, n' = \lfloor n/m \rfloor$) with the system (5.2). Time in seconds; Memory in MB; $D$ is the maximum step degree; in the last two columns $D_{Heuristic}$ is set to 4 in the Groebner basis computations. A dash marks a parameter set for which no experiment is reported.

| n  | m=5 Time | m=5 Memory | m=5 D | m=5, D_Heuristic=4 Time | m=5, D_Heuristic=4 Memory |
|----|----------|------------|-------|-------------------------|---------------------------|
| 11 | 2.380    | 58         | 4     | -                       | -                         |
| 12 | 4.150    | 116.7      | 4     | -                       | -                         |
| 13 | 6.390    | 124.1      | 4     | -                       | -                         |
| 14 | 9.510    | 245.2      | 4     | -                       | -                         |
| 15 | 393.170  | 6421.9     | 4     | 7.130                   | 256.3                     |
| 16 | 242.500  | 5911.7     | 4     | 6.900                   | 320.4                     |
| 17 | 365.460  | 7063.8     | 4     | 6.660                   | 320.4                     |
| 18 | 836.080  | 8619.4     | 4     | 11.700                  | 394.6                     |
| 19 | 531.420  | 8864.2     | 4     | 45.570                  | 2505.3                    |

In Table 2, we report on our experimental results for solving PDP($n, m, n' = \lfloor n/m \rfloor$) with $m = 5$ deploying only third Semaev polynomials; see (5.2). The time and memory results in the second and third columns of Table 2 are obtained using the Groebner basis implementation of Magma with the grevlex ordering of monomials. We observe that the maximum step degree is $D_{reg} = 4$ for $11 \le n \le 19$. The time and memory results in the last two columns of Table 2 are obtained using the Groebner basis implementation of Magma with the grevlex ordering of monomials in a boolean ring. We also introduced two modifications in the computations: we set the ReductionHeuristic parameter in Magma to 4; and we first computed Groebner bases of the partial systems described by the single equations in (5.2), and merged them later. These two techniques yield a non-trivial optimization both in time and memory. For comparison, when $n = 15$ and $m = 3$, the (Time, Memory) values decrease from (393.170, 6421.9) to (7.130, 256.3) when this modification is deployed in the computation; see Table 2. For the same parameters ($n = 15$ and $m = 3$), the (Time, Memory) values are reported as (174.47, 2635.4) in [12].

Based on our experimental data, we may assume that the underlying system of polynomial equations has $D_{reg} \approx 4$ for all $n$. Moreover, the system has $N = 5n' + 3n \approx 4n$ boolean variables. Therefore, when $m = 5$, we may estimate the cost of solving ECDLP($2, n$) (see (2.3)) as

$$2^{n'} \cdot \frac{2^n\, m!}{2^{mn'}} \binom{N + D_{reg} - 1}{D_{reg}}^{w} + 2^{w' n'} \ \approx\ 2^{n/5}\, m!\,(4n)^{4w} + 2^{w' n/5} \ \approx\ 2^{31}\, 2^{n/5}\, n^{12} + 2^{2n/5},$$

where we assume $w = 3$ and $w' = 2$. This running time outperforms square-root methods when $n > 457$. For example, when $n \approx 550$, the cost of solving ECDLP($2, n$) is estimated to be $2^{250}$, which is significantly smaller than the cost $2^{275}$ of square-root time algorithms.
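As an added check that is not part of the paper, the following script evaluates the estimate above in the simplified form used in Sections 4 and 5, $2^{n'} \cdot m! \cdot N^{D_{reg} w} + 2^{w' n'}$ with $n' = n/m$ treated as a real number and $N = 2n$ or $N = 4n$, and searches for the smallest $n$ at which it drops below the $2^{n/2}$ cost of square-root methods; the function names and the search range are assumptions of this example.

```python
import math

def log2_cost(n, m, d_reg, vars_per_n, w=3.0, w_prime=2.0):
    """log2 of  2^{n'} * m! * N^{d_reg * w} + 2^{w' n'}  with n' = n/m and N = vars_per_n * n."""
    n_prime = n / m
    relations = n_prime + math.log2(math.factorial(m)) + d_reg * w * math.log2(vars_per_n * n)
    linalg = w_prime * n_prime
    hi, lo = max(relations, linalg), min(relations, linalg)
    return hi + math.log2(1 + 2 ** (lo - hi))     # log2(2^hi + 2^lo) without forming huge integers

def crossover(m, d_reg, vars_per_n, n_max=5000):
    """Smallest n for which the estimate is below the 2^{n/2} cost of square-root methods."""
    for n in range(1, n_max):
        if log2_cost(n, m, d_reg, vars_per_n) < n / 2:
            return n
    return None

if __name__ == "__main__":
    # Section 4 system: D_reg = 9, N = 5n' + n ~ 2n;  Section 5 system: D_reg = 4, N = 5n' + 3n ~ 4n
    print(round(log2_cost(1200, 5, 9, 2)), round(log2_cost(550, 5, 4, 4)), crossover(5, 4, 4))
```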